We learn about data breaches almost every day, and the first-line victims range from large, seemingly sophisticated companies to the local dentist’s office. Our ability to assess and understand a company’s cyber hygiene has been fairly limited, so knowing who’s safe has been a guessing game — until now.
A new generation of cyber ratings firms, led by BitSight Technologies and SecurityScorecard, are becoming known for rating a company’s cyber hygiene in much the same way that Moody’s and S&P set the standard by which we understand their creditworthiness. These firms could have a profound effect on how companies understand their own level of cybersecurity and decide which vendors they wish to select and retain.
Since we’re all connected electronically today, a company’s cyber defenses are really only as strong as the weakest partner with access to its network. Target Corp. brought this issue to light after we learned that hackers breached the retailer by first gaining access through an HVAC vendor with poor cyber hygiene. Overnight, organizations started viewing their vendors as threats of a type that they never imagined.
To the extent they’re even pursued, traditional forms of cybersecurity due diligence include asking the vendor for a completed questionnaire or perhaps having them submit to onsite interviews and a penetration test. Those efforts have value, but they are time-consuming, offer only a snapshot of the state of security, and can be incomplete and arguably irrelevant the next day, as hackers can emerge without warning.
The new cyber ratings firms size up companies like a hacker would on a continuous basis, in a non-invasive way. They offer a numerical, FICO-like rating or a letter grade, much like the credit rating agencies employ. Performance levels for any of these factors can instantly raise or lower a rating.
Assessing cyber risk is a natural complement to other elements of a third-party vendor risk management process. Most companies already monitor the financial condition of their key vendors in order to minimize the chance of a supply disruption from one that goes bankrupt. They may also monitor social factors to avoid those vendors that may, for example, employ underage workers. Bringing cybersecurity into the vendor risk discussion requires a cross-functional effort that typical involves finance, operations, procurement, and now IT.
As these ratings become more visible in the marketplace, companies that have invested in security will enjoy a competitive advantage over their less cyber-hygienic peers.
Armed with this rating data, and reports that can be generated that drill down on all the factors, a company can decide the level of cyber risk it is willing to tolerate for each of its vendors. If a vendor’s score were to become unacceptably low, the company employing that vendor could be prescriptive about remediation and threaten to switch vendors. Business will be won or lost based, in part, on cyber hygiene.
Cyber risk underwriters will be able to make decisions based on objective, real-time data, and reward more secure clients by charging lower premiums.
Those responsible for cybersecurity will be more effective in justifying necessary technology expenditures and changes in organizational behavior that can improve their condition.
In time, we may even learn that higher cyber scores are associated with higher price/earnings multiples and valuations in M&A transactions.
Cyber ratings firms continuously monitor vast amounts of publicly accessible information flowing across the Internet and build profiles of companies and how their performance trends over time. They evaluate numerous factors that affect their perception of a company’s cyber hygiene and use algorithms to calculate a score for each of the factors and determine an overall rating. Those ratings can be compared to a peer group to determine relative risk.
They watch hacker activity in the dark web. For example, the moment a block of a company’s customer credit cards began trading on an underground forum, that company’s rating would decline because an adverse event had occurred. Many of the large retailers whose point-of-sale devices got hacked learned of it months later — when the FBI called them to inform them of the breach.
These firms design and deploy honeypots and sinkholes in data centers around the world to trap and filter web traffic flowing through major Internet connection points. They measure the extent to which malware, viruses, botnets, and spamming software flow to and from identifiable IP addresses to indicate the level of malicious behavior. The more malicious behavior, the lower the rating.
Individual consumers and business customers have different expectations regarding fair compensation for data breaches. It’s unlikely that very many consumers permanently stopped shopping at Target because of the breach that occurred in 2013. Industry practice typically involves the grant of one to two years’ worth of credit monitoring for aggrieved consumers, and that seems to mollify them. Considering the stakes involved, businesses, on the other hand, take the cybersecurity of their vendors much more seriously, as that can represent a source of considerable risk.
Greater cyber transparency will force every company to raise its game. Organizations that invest in cybersecurity and enjoy high cyber ratings will compete more effectively in a marketplace that makes business decisions based on the desirability of strong partners, rewarding the secure and punishing the unhygienic.
Craig Callé is CEO of Source Callé LLC, a consulting firm that makes organizations more data centric. He is a former CFO of Amazon.com’s Digital Media and Books businesses and other companies, and was an investment banker at Salomon Brothers. Prior to starting his firm, he was chief strategy officer at SHI International.